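package handlers

import (
	"context"
	"log/slog"
	"strings"

	"atcr.io/pkg/auth/oauth"
)

// isOAuthError reports whether err's message looks like an OAuth
// authentication failure. It returns false for a nil error.
//
// Classification is by case-insensitive text matching on err.Error(), so it is
// only a heuristic. A positive result makes handleOAuthError delete the user's
// OAuth session, so a false positive costs the user their login. For that
// reason the numeric status codes "401" and "403" only count when they stand
// alone: they must not be directly preceded or followed by an ASCII letter or
// digit. A bare substring test would also fire on any error text that happens
// to contain those digits, such as a port, a byte count or a hex digest.
//
// NOTE(review): the error text may originate from a remote server, so the
// remaining word markers can still be triggered by content the caller does not
// control. Matching on typed errors or a status field would be more robust, if
// the upstream client exposes them.
// NOTE(review): "use_dpop_nonce" is normally a retry signal (RFC 9449) rather
// than proof that the session is invalid, and "403" signals an authorization
// rather than an authentication failure. Confirm both belong in this list.
func isOAuthError(err error) bool {
	if err == nil {
		return false
	}

	errStr := strings.ToLower(err.Error())

	isAlnum := func(b byte) bool {
		return (b >= '0' && b <= '9') || (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z')
	}

	// standalone reports whether code occurs in errStr without an ASCII letter
	// or digit directly on either side of it.
	standalone := func(code string) bool {
		for from := 0; from < len(errStr); {
			i := strings.Index(errStr[from:], code)
			if i < 0 {
				return false
			}
			start := from + i
			end := start + len(code)
			leftOK := start == 0 || !isAlnum(errStr[start-1])
			rightOK := end == len(errStr) || !isAlnum(errStr[end])
			if leftOK && rightOK {
				return true
			}
			from = start + 1
		}
		return false
	}

	if standalone("401") || standalone("403") {
		return true
	}

	for _, marker := range []string{
		"invalid_token",
		"invalid_grant",
		"use_dpop_nonce",
		"unauthorized",
		"authentication failed",
	} {
		if strings.Contains(errStr, marker) {
			return true
		}
	}

	// "token" and "expired" must both be present, in any order.
	return strings.Contains(errStr, "token") && strings.Contains(errStr, "expired")
}

// handleOAuthError checks whether err is OAuth-related and, if so, asks
// refresher to delete the OAuth session stored for did.
//
// It returns true when err was classified as an OAuth error, in which case the
// caller should return early, and false otherwise. A failure to delete the
// session is only logged: the function still returns true, so the stored
// session may outlive the error that was meant to invalidate it.
//
// NOTE(review): err is logged verbatim. Confirm that upstream error text never
// embeds token or other credential material.
func handleOAuthError(ctx context.Context, refresher *oauth.Refresher, did string, err error) bool {
	if !isOAuthError(err) {
		return false
	}

	slog.Warn("OAuth error detected, invalidating sessions",
		"component", "handlers",
		"did", did,
		"error", err)

	// Best-effort cleanup: drop the stored session for this DID.
	if delErr := refresher.DeleteSession(ctx, did); delErr != nil {
		slog.Warn("Failed to delete OAuth session after error",
			"component", "handlers",
			"did", did,
			"error", delErr)
	}

	return true
}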